Playing With Fire: Running Uploaded Ruby Code in a Sandbox – David Stevenson

Intro

It is still new, but we will get a chance to interact with it live. There will be a competition to see who can compromise the sandbox first.

The prize is a Cupcake, but he has not bought it yet, because he doesn’t think anyone will break out.

Rules are you must break out of the sandbox itself, not compromise his box or the OS.

Why allow user code?

Say you want to make a decision about which folder to use for a user’s mail? You can write a bunch of complex rules, or you could allow your users to upload code to do it.

He makes a reference to the Neal Stephenson book about the Metaverse, where everyone uploads code.

Second Life also has a C metalanguage which allows players to create their own code and three-dimensional objects. In this type of game, the sky is the limit.

Google’s AppEngine is another example. Users can write their own code and run it in a sandbox, but Google handles all the scalability and hidden bits.

Why not allow user code?

Dangerous operations: Code could have errors, or never finish. Someone will upload an infinite loop almost immediately, and you need to deal with it.

Knowledge: Are users programmers? Maybe they don’t want to learn a language, even one as easy and nice as Ruby.

API Manipulation: Maybe there are ways that users could manipulate your API in ways you have not even thought of yet…

What is a sandbox

Limited functionality

Can’t break out

Separate code space

There need to be separate code spaces – the user’s space is the “Jungle”

Bounded execution time
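
An added example, not code from the talk or from the sandbox gems: one way to get bounded execution time and a separate code space on a Unix host is to evaluate the uploaded expression in a forked child under both a CPU limit and a wall-clock limit. The helper name run_bounded and its parameters are assumptions made for this illustration, and it does nothing to limit functionality the way the sandbox gems do.

```ruby
require 'timeout'

# Hypothetical helper, not the sandbox gem's API. It bounds execution time
# only: the child can still reach File, Kernel and the rest, which is the
# part an in-process sandbox has to take away.
def run_bounded(source, wall_seconds: 2, cpu_seconds: 1)
  reader, writer = IO.pipe
  pid = fork do
    reader.close
    # Kernel-enforced CPU cap: a busy loop is terminated by a signal.
    Process.setrlimit(Process::RLIMIT_CPU, cpu_seconds, cpu_seconds)
    begin
      value = Object.new.instance_eval(source)
      # Send text, never Marshal: the parent must not deserialize
      # objects built by uploaded code. Cap the size to fit the pipe buffer.
      writer.write('ok:' + value.inspect[0, 4096])
    rescue Exception => e # includes SyntaxError and SystemExit
      writer.write('error:' + e.class.name)
    end
    writer.close
    exit!(0) # skip at_exit handlers inherited from the parent
  end
  writer.close

  status = begin
    # Wall-clock cap: catches code that sleeps or blocks without using CPU.
    Timeout.timeout(wall_seconds) { Process.wait2(pid).last }
  rescue Timeout::Error
    Process.kill('KILL', pid)
    Process.wait(pid)
    nil
  end
  return [:timeout, nil] if status.nil?

  kind, _, body = reader.read.partition(':')
  # No report means the child died from a signal or bailed out early.
  return [:killed, nil] if status.signaled? || kind.empty?
  [kind.to_sym, body]
ensure
  reader.close if reader && !reader.closed?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the talk's 2+2 case, an error, and two runaways.
  ['2+2', '1/0', 'sleep 10', 'loop {}'].each do |src|
    p src => run_bounded(src)
  end
end
```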

Implementations

Freaky-freaky sandbox gem (MRI ruby): By why the lucky stiff with some contributions from David, written in C. It is a big hack, a bit of a disaster, but it works. We’ll get to play with it.

JavaSand gem (JRuby): Same API as Freaky-freaky, but not as much of a hack. JRuby provides more hooks into the internals, so you can do some of the same things that Freaky-freaky does, but without as much hackery and violation of internals.

Rubinius in the future? – Sub-virtual-machines could be used to create a sandbox, maybe even 20 lines of Rubinius. The C implementation is about 2000 lines.

Let's try it out

Expression Evaluator: 2+2 -> 4, etc.

He is creating the Rails application from scratch; hopefully the bandwidth holds up. He’s not using Sinatra, because he doesn’t know how to get something scaffolded fast enough within the time constraints of a presentation.

Some dangerous things are NOT accessible in the sandbox, such as File and Kernel.